Tuesday, January 17, 2012

Jan 26, 2012:
None of the stuff below matters because my original exploit sucked, but I managed to convert it to a Metasploit module and automate the SID gathering process: http://www.exploit-db.com/exploits/18420/

Jan 15, 2012:
Here are the notes and assumptions for the Sysax bug I found:

HTTP has to be enabled as a connection protocol, which is not a default setting. This essentially turns the FTP server into a web-based file transfer service.

This exploit requires authentication.

The authenticated user needs to have "create" permission for folders enabled, which is also not a default setting.

This exploit requires a "SID" parameter. This can be found by logging into the web app and clicking on the "create folder" link. The SID is in your address bar. It's 40 bytes long between the = and &. I could not figure out how this was generated by the system, so this is a manual process.

Sysax Multi Server runs as LOCALSYSTEM by default ;)

I suspect there are other bugs in this web app. During fuzzing, I was able to get this app to crash, but this was the only bug that would consistently crash the app.

Bravo to the vendor for quickly addressing this issue 2 days after I reported it and posting a fix, version 5.52.